TNW Sites

Google declares Flash is now ‘fully sandboxed’ in Chrome for Windows, Mac, Linux and Chrome OS

Google today announced that Adobe Flash Player is now “fully sandboxed” in Chrome on all desktop platforms it supports: Windows, Mac, Linux, and Chrome OS. This is a big achievement on the security side of things, especially given the many vulnerabilities and 0-days frequently found in Flash.

For those who don’t know, sandboxing refers to restricting resources and separating programs, in this case Flash, from executing untested and untrusted code from unverified third-parties and Web Sites. Here is how Google describes it for Chrome:

Sandboxing helps prevent malware from installing itself on your computer, or using what happens in one browser tab to affect what happens in another. The sandbox adds an additional layer of protection against malicious web pages that try to leave programs on your computer, monitor your web activities, or steal private information from your hard drive.

Google says sandboxing is now available for Flash “with this release” of Chrome. The most recent version, Chrome 23, arrived last week, which is when the four-year-old browser received its usual dose of security fixes (14 in total), as well as a new version of Adobe Flash.

Yet the company today wanted to underline today that Chrome’s built-in Flash Player on Mac now uses a new plug-in architecture which runs Flash inside a sandbox that’s as strong as Chrome’s native sandbox, and “much more robust than anything else available.” This is great news for Mac users since Flash is so very widely used, and thus is a huge target for cybercriminals pushing malware.

Malware writers love exploiting Flash for the same reasons as they do Java: it’s a cross-platform plugin. Such an attack vector allows them to target more than one operating system, more than one browser, and thus more than one type of user. What Google is doing here is minimizing the chances that its users, namely those using Chrome, will get infected by such threats.

Emil was a reporter for The Next Web between 2012 and 2014. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, TechSpot, ZDNet, and CNET. Stay in touch via Facebook, Twitter, and Google+.